curious7

asked:

Planning for raising Domain/Forest functional level and roll back plan

We are upgrading the windows domain and forest to Windows 2008 R2 from Windows 2008.
It is a single forest and single domain with no trusts.
There are a lot of read only domain controllers and the replication delta can be 2 hours or so behind according to the repadmin command.
I plan to upgrade the domain first and then force the replication and then do the forest upgrade.

I will be taking backup of the PDC (which has all FSMO roles) before the change.
Any other things to consider before upgrading the domain?

From what I have read the only roll back plan in case of issues is to shutdown all other domain controllers and then restore 1 DC (PDC in my case).
And then demote and re-promote the other domain controllers.
Is that right? Is there any other quicker rollback plan?


And if above is the only rollback plan then my thinking is that I can just VMware snapshot the PDC and revert to snapshot for PDC in case of issues (making sure that all other DCs are demoted and re-promoted as well after that).
Are there any issues with this plan?
J0rtIT

When you upgrade the functional levels this is irreversible.

From that premise, here's what I'd do...

I'd do a test over the weekend.
  1. Take a "FULL backup" from PDC.
  2. Take a "Full backup of 1 of all RODC" (or subforests)
  3. Turn off all domain controllers except PDC.
  4. Upgrade Domain and Forests PDC.
  5. Start the domain controller that you have backed up in step 3 (check if it's all working). (repeat 2 or 3 times)

This way in case the 1st DC doesn't work you just have to work with those 2 servers (that you have backed up) instead of 20 or 30 with no backup.

Things to consider in case the domain controllers have a functional level less than the one that you want to apply.
For example, all domain controllers must have the SAME functional level that you want to apply for "DOMAIN FUNCTIONAL LEVEL",
and all the servers in the domain MUST HAVE the SAME functional level that you want to apply for "FOREST FUNCTIONAL LEVEL".

So if your main controller has domain and forest functional level at 2008,
and all your domain controllers are 2012 R2, then you could raise the domain functional level to 2012 without issues.
But in case you have a Server 2008 or 2003, that would be the maximum forest functional level that you should upgrade to.

Domain Functional level => least Windows server version for your domain controllers
Forest Functional Level => least windows server version for your whole server's infrastructure.


https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
When you upgrade the functional levels this is irreversible.

Not true. Since Server 2008 R2 it has been possible to downgrade FFL/DFL. It cannot be done via the GUI though, you would do this with the PowerShell command below to downgrade from 2012 R2 to 2008 R2.

Set-ADDomainMode -Identity "domain.fqdn" -DomainMode Windows2008R2Domain


Forest Functional Level => least windows server version for your whole server's infrastructure.

To clarify, FFL specifies the lowest DFL possible in the forest. If FFL is Server 2012 R2, then DFL can be 2012 R2 or higher. But it cannot be 2008 R2. DFL and FFL only relate back to ADDS features; they have nothing to do with the member server OS levels.
Allow the reminder that 2008 R2 is out of support (no security updates) pretty soon.
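Added example, not from any poster in this thread: a pre-flight script that does the checks behind J0rtIT's steps (every DC must already be on the target OS, replication healthy) and then performs the raise with the same Set-ADDomainMode cmdlet quoted above. It assumes the ActiveDirectory module (Server 2008 R2 RSAT or later) and repadmin.exe are available; the parameter names and the "zero failures" threshold are my own choices.

```powershell
# Added example (not a poster's code). Pre-flight checks plus the DFL/FFL raise
# for a single-domain forest. Nothing is changed unless -Apply is given.
param(
    [string]$TargetDomainMode = 'Windows2008R2Domain',   # assumed target
    [string]$TargetForestMode = 'Windows2008R2Forest',   # assumed target
    [version]$MinOsVersion    = '6.1',                   # 6.1 = Windows Server 2008 R2
    [switch]$Apply
)
Import-Module ActiveDirectory
$domain = Get-ADDomain
$forest = Get-ADForest
Write-Host "Current DFL: $($domain.DomainMode)  FFL: $($forest.ForestMode)  PDC: $($domain.PDCEmulator)"

# 1. Every DC, RODCs included, must already run the target OS or newer: the
#    functional level can never be raised above the oldest DC's OS.
$dcs = Get-ADDomainController -Filter *
$tooOld = $dcs | Where-Object {
    [version](($_.OperatingSystemVersion -split ' ')[0]) -lt $MinOsVersion
}
if ($tooOld) {
    $tooOld | Select-Object HostName, OperatingSystem, IsReadOnly | Format-Table -AutoSize
    throw "DCs below OS $MinOsVersion found; the raise would be refused."
}

# 2. No outstanding replication failures. A lagging RODC will catch up on its
#    own (it only pulls inbound); what blocks a clean raise is a failing link.
$repl   = repadmin /showrepl * /csv | ConvertFrom-Csv
$failed = $repl | Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($failed) {
    $failed | Select-Object 'Destination DSA','Source DSA','Naming Context','Last Failure Status' |
        Format-Table -AutoSize
    throw 'Replication failures present; fix them before raising the level.'
}

# 3. Take a system-state backup of the PDC first (wbadmin start systemstatebackup),
#    then raise DFL on the PDC emulator, push it out, and raise FFL.
$common = @{ Confirm = $false; WhatIf = (-not $Apply) }   # dry run unless -Apply
Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode $TargetDomainMode `
                 -Server $domain.PDCEmulator @common
if ($Apply) { repadmin /syncall /AdeP | Out-Null }       # force a full push first
Set-ADForestMode -Identity $forest.Name -ForestMode $TargetForestMode @common
if ($Apply) {
    Write-Host "New DFL: $((Get-ADDomain).DomainMode)  FFL: $((Get-ADForest).ForestMode)"
}
```

Run it once without -Apply to see the checks and the -WhatIf output, then again with -Apply during the change window.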
We are upgrading the windows domain and forest to Windows 2008 R2 from Windows 2008.

just to clarify, you said you are upgrading the forest/domain level to 2008 R2...do you have 2008 R2 domain controllers now or are they 2012/2016 but never raised the functional level?

if you are upgrading domain controllers as part of this to 2008 R2, as stated, it's nearly out of support (just under 5 months left)

...my thinking is that I can just VMware snapshot the PDC and revert to snapshot for PDC in case of issues

this will do more harm than good. You could experience issues doing that, not to mention added administrative overhead demoting and promoting those other domain controllers. Way too risky.

Unless you have some applications that specify they need to be at a certain functional level, I don't see much of a risk in raising it.